Attacker tricked Amazon customer service into disclosing user's personal info - three times!

On three separate calls, an attacker used social engineering techniques to trick a representative of Amazon's customer service into disclosing a user's personal information.

An Amazon user named Eric Springer described how it all started with an email from Amazon's customer service thanking him for reaching out:


Curious, Eric contacted Amazon's customer service only to discover that someone claiming to be him had contacted a representative of the popular e-commerce company and had tricked them into disclosing his real shipping address and phone.

The attacker succeeded in their effort by providing the representative with a fake address: a nearby hotel's address that Eric had used to set up some domains, knowing that the whois information would eventually become public.

Eric was shocked:

"Wow. Just wow. The attacker gave Amazon my fake details from a whois query, and got my real address and phone number in exchange. Now they had enough to bounce around a few services, even convincing my bank to issue them a new copy of my Credit Card."

But the social engineering attacks did not stop there.

After requesting that customer service not provide anyone with his personal information, Eric received another email from Amazon a few months later. This led to another call with customer service, which provided Eric with a transcript indicating that the attacker had (unsuccessfully) attempted to social engineer a representative into providing them with his credit card number.

Amazon transcript

By this point, Eric had had enough, so he removed his address from his account.

Unfortunately, that didn't prevent him from receiving another correspondence from Amazon customer service some months later. This time, the attacker had contacted Amazon by phone, so there was no way to obtain a transcript.

Given the progression of the social engineering attacks, Eric is convinced that Amazon forfeited his credit card number to the attacker.

"At this point, Amazon has completely betrayed my trust three times. I have done absolutely everything in my power to secure my account, but it’s hopeless. I am in the process of closing my Amazon account, and migrating as much to Google services which seem significantly more robust at stopping these attacks."

Amazon email

News of this story has already made its way around the web, including to Reddit, where former customer support employees (albeit not from Amazon) outlined the social engineering training they had received and expressed dismay at Amazon's failure to provide the same training:

"How can a company as big as Amazon not have stronger privacy polices? When I worked customer support they drilled it into our heads that the most common means of fraud was social engineering, and they gave us workshops on how social engineering works and what to look out for. These employees need to be retrained ASAP."

Not surprisingly, Eric has a few recommendations for Amazon and for companies everywhere. Above all, he suggests that companies need to be careful when taking customer support calls and that they should verify the customer's IP address with on-staff support agents.

As for ordinary users, you can learn more about social engineering attacks.

It also might be a good idea to enable two-factor authentication on your Amazon account and on whichever other accounts offer this service.

It won't necessarily protect against social engineering attacks directed at company's support teams, but it could complicate the plans of an attacker who is looking to compromise your account.
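The failure described above has a simple shape: the caller offered facts that anyone could pull from a public source (the WHOIS address), and the representative treated them as proof of identity and read back non-public account data. The following is an added illustration of a support-desk disclosure policy that closes that gap; it is not Amazon's process and every account value in it is constructed. Claims are sorted into public knowledge, private knowledge and possession proofs (a one-time code sent to the phone or email already on file, which is where account-level two-factor authentication helps the support desk). Public facts never raise the verification tier, a wrong private fact raises a fraud flag instead of prompting the agent to volunteer the right value, and the card number is never readable out at any tier.

```python
"""Illustrative support-desk disclosure policy.

Added example, not Amazon's process: it models the failure described in the
article, where a caller "proves" identity with publicly discoverable data
(a WHOIS address) and is then handed non-public account data.
All account values below are constructed placeholders.
"""
from dataclasses import dataclass, field

# Proof categories. Anything an outsider could learn from public records,
# WHOIS or data brokers counts as PUBLIC and never raises the verification tier.
PUBLIC_KNOWLEDGE = {"name", "email", "whois_address", "city"}
PRIVATE_KNOWLEDGE = {"last_order_number", "card_last4"}
POSSESSION_PROOFS = {"otp_to_registered_phone", "otp_to_registered_email"}

# Attributes an agent may read out at each tier. Tier 0 = caller unverified.
DISCLOSURE_TIERS = {
    0: set(),
    1: {"order_status"},
    2: {"order_status", "shipping_address", "phone"},
}
NEVER_DISCLOSE = {"card_number", "password"}  # not readable out at any tier


@dataclass
class SupportCall:
    claims: dict                      # attribute -> value the caller states
    account: dict                     # what is on file (constructed sample data)
    flags: list = field(default_factory=list)


def _matches(call, category):
    """Claimed attributes in `category` whose value equals what is on file."""
    return [k for k, v in call.claims.items()
            if k in category and call.account.get(k) == v]


def verification_tier(call):
    """Tier 2 needs a possession proof (OTP), tier 1 a correct private fact.

    Correct public facts count for nothing; a wrong private fact is a fraud
    signal and is recorded on the call instead of being corrected aloud."""
    wrong_private = [k for k, v in call.claims.items()
                     if k in PRIVATE_KNOWLEDGE and call.account.get(k) != v]
    if wrong_private:
        call.flags.append("private-fact mismatch: " + ", ".join(sorted(wrong_private)))
    if _matches(call, POSSESSION_PROOFS):
        return 2
    if _matches(call, PRIVATE_KNOWLEDGE) and not wrong_private:
        return 1
    return 0


def handle_request(call, requested):
    """Decide what the agent may read out for the attributes `requested`.

    Returns the tier reached, the attributes disclosed, the ones refused and
    any fraud flags. Anything outside the tier is refused, never paraphrased."""
    tier = verification_tier(call)
    allowed = DISCLOSURE_TIERS[tier] - NEVER_DISCLOSE
    disclosed = {a: call.account[a] for a in requested
                 if a in allowed and a in call.account}
    refused = [a for a in requested if a not in disclosed]
    if refused and tier == 0:
        call.flags.append("unverified caller requested: " + ", ".join(refused))
    return {"tier": tier, "disclosed": disclosed, "refused": refused,
            "flags": list(call.flags)}


# Constructed sample account; values are placeholders, not real data.
ACCOUNT = {
    "name": "E. Example", "email": "eric@example.invalid",
    "whois_address": "1 Hotel Lane, Exampletown",      # what WHOIS would expose
    "shipping_address": "42 Real Street, Exampletown",  # non-public
    "phone": "+1-555-0100", "last_order_number": "ORD-0001",
    "card_last4": "1234", "card_number": "[REDACTED]",
    "otp_to_registered_phone": "483920",               # code sent for this call
}


def public_facts_only_call():
    """Caller offers only public facts (name, email, WHOIS address)."""
    call = SupportCall({"name": "E. Example", "email": "eric@example.invalid",
                        "whois_address": "1 Hotel Lane, Exampletown"}, dict(ACCOUNT))
    return handle_request(call, ["shipping_address", "phone", "card_number"])


def legitimate_call():
    """Caller enters the one-time code sent to the phone already on file."""
    call = SupportCall({"email": "eric@example.invalid",
                        "otp_to_registered_phone": "483920"}, dict(ACCOUNT))
    return handle_request(call, ["shipping_address", "card_number"])


if __name__ == "__main__":
    print(public_facts_only_call())   # tier 0: nothing disclosed, call flagged
    print(legitimate_call())          # tier 2: address disclosed, card refused
```

The design choice worth noting is that matching a public fact is treated exactly like offering nothing: the call in which only name, email and WHOIS address are supplied stays at tier 0, is refused everything and is flagged for review, while the call that proves possession of the registered phone reaches tier 2 and still cannot obtain the card number. The flags are what a fraud team would feed into detection; three refused calls against one account in a few months is the pattern the article describes.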



3 Responses

  1. coyote

    January 25, 2016 at 10:09 pm

    'As for ordinary users, you can a href="http://www.tripwire.com/state-of-security/ …'

    Syntax error causing your link to tripwire.com to not be a link.

    My remark: It is incredibly ironic when someone suggests Google over another organisation when considering privacy. I grant you that Amazon did a terrible job here but it isn't like Google has a good reputation when it comes to privacy (quite the opposite), either.

  2. Techno

    January 26, 2016 at 2:51 am

    Giving a fake address is usually a breach of contract. Should have opted for a private registration or paid for a mailbox address.

  3. Dominic Batstone

    January 26, 2016 at 2:34 pm

    I use the UK site all the time and rarely the .com site. On .co.uk the 2FA option was not visible but I setup 2FA on the .com site anyway. "United Kingdom" was actually in amongst "G" when using the dropdown for "Country Code"! When I visited .co.uk and logged in, it sent me a code for 2FA, so looks like you need to set it up on .com possibly for all regions????
